Show 104

SHOW104
Crispy Certificates with

Spicy SSL Salsa
Tom Truitt | Sr IT Specialist | WorkFlow Studios
© 2011 IBM Corporation

Legal
This slide presentation may contain the following copyrighted, trademarked,
and/or restricted terms:
● IBM® Lotus® Domino®, IBM® Lotus® Notes®, IBM Lotus Symphony®,
LotusScript®
● Microsoft® Windows®, Internet Explorer®, Microsoft Office®
● Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
● Symantec Corporation®, VeriSign, Inc.®, Thawte, Inc.®, GeoTrust®,

GoDaddy.com, Inc.®
© 2011 IBM Corporation 2

Session Goals
● Learn what SSL and X.509 certificates are, and why you use them.
● Learn what a Wildcard certificate is and how it potentially saves your
organization money and maintenance hassle.
● Learn the difference between self-certifying and using a 3rd Party certificate
authority and why you'd want to pay for the 3rd Party.
● Learn how to send and receive encrypted email for secure communications.
● Learn the step-by-step process of setting up all of these certificate types in your
Domino environment.

Assumptions
● You have installed and have working knowledge of the Lotus Notes
Administration Client.
● You have “Create Database” privileges in your Domino environment.
● You have at least Editor access to the Domino Directory with NetCreator and
UserCreator roles.
● Your Notes Client “Location Document” must be set for server based mail, not
local, otherwise you will receive errors when creating or modifying certificates.

Agenda
• It's a matter of Trust & Security
• Or why Certificates and SSL are necessary
• Definitions
• Using 3rd Party Certificate Authorities
• Single Host
• Multi Host with “Wildcard” SSL Certificate
• Domino's Certificate Authority (CA) 5process

• Migrating a Notes Certifier to the Domino CA
• Adding a Internet Certifier to the Domino CA
• Secure Email with S/MIME and X.509 Certificates
• Q&A
• Don't forget your evaluations

It's a matter of Trust & Security

Who do you trust?
─ How do you verify that you are connected to a server that is actually at a particular
business or site?
─ Certificates validate identity. Like a company badge to get into your office or a
driver's license or passport to get through security at the airport.
● Who would eavesdrop on the Internet “Party Line”?
─ Standard Internet communications, i.e. HTTP, SMTP are simple text transmission
protocols.
─ If someone intercepts traffic, there is nothing to prevent reading all the content of
that communication.
● With encryption, one end of the communication encrypts the traffic, and the
other end decrypts it.
● Certificates provide the keys in the encryption process.

Agenda
 It's a matter of Trust & Security
 Or why Certificates and SSL are necessary
• Definitions
• Single Host
• Domino's Certificate Authority (CA) process

• Q&A

Definitions to keep in mind
● Secure Sockets Layer (SSL) & Transport Layer Security (TLS)
● Public Key Infrastructure (PKI)
● Certificate Authority (CA)
● Certificate Signing Request (CSR)
● X.509 Digital Certificate or Public Key Certificate (PKC)

Secure Sockets Layer (SSL) &
Transport Layer Security (TLS)
● SSL & TLS are cryptographic* protocols that provide encrypted communications
securely over the Internet.
● SSL, originally developed by Netscape, is widely used to do two things:
─ Validate the identity of a Web site
─ Encrypt the connection for sending personal data over the internet
● TLS security protocol defined by the Internet Engineering Task Force (IETF) is
based on SSL 3.0. TLS uses digital certificates to authenticate the user as well
as authenticate the network.
─ The TLS client uses the public key from the server to encrypt a random number and
send it back to the server. The random number, combined with additional random
numbers previously sent to each other, is used to generate a secret session key to
encrypt the subsequent message exchange.
● Look for the Lock icon in you browser. If the lock is closed you are on a
secure SSL or TLS connection.
*Cryptography is the process of converting data into a secret code for transmission. In other words
“Plain Text” is converted into a secret code via an encryption algorithm.

Typical SSL Handshake Negotation Process
● The two sides acknowledge each
other and the browser sends a list of
algorithms it supports and a random
number to the web server.
● The server returns “Use this
algorithm” it's random number and
digital certificate.
● The browser verifies that it trust's the
server's certificate and extracts the
server's public key. It then uses that
public key to encrypt a pre-master
key and sends it to the server.
● Both client and server use the pre-
master key and exchanged random
numbers to generate the secret keys
for the rest of the session and
exchange checksums.
10
Public Key Infrastructure (PKI)
● A framework for creating a secure method of exchanging electronic information
based on public key cryptography.
● The base of a PKI is the Certificate Authority (CA) that issues digital certificates
to authenticate the identity of servers and individuals.
● PKIs are based on the public/private key pair of the CA's Root Key.
● The subject's public key, know to everyone, is used to encrypt data.
● The private or secret key is used to decrypt received data.
● If the private key of the CA's Root Key is ever compromised, all the digital
certificates created by that CA are vulnerable.
● The Key Size defines how hard the private key is to decode. The higher the
key size the harder it is to break the code.
● Common RSA Key Sizes are:
● 512, 1024 and 2048

11
Certificate Authorities (CA)s
● As stated above, The base of a PKI is the Certificate Authority (CA) that issues
digital certificates to authenticate the identity of servers and individuals.
● There are two types of CAs:
─ Trusted 3rd Party or Commercial CAs which charge to issue certificates. Their
Trusted Root certificates are included in most internet browsers.
− Think of a passport issued by your country's passport authority.
─ Self Signed or Closed System where your company is it's own CA. You control the
Root Certificate for the organization.
− Think of your company issued ID badge that lets you into your office building.

12
Trusted 3rd Party Certificate Authorities (CA)s
● Over 300 Trusted CAs are included in Internet Explorer on Windows XP.
● Most browsers already trust these authorities, so end user configuration is not
required.
● If the certifier is pre-configured as trusted in the email system, external mail
client configuration is reduced.
● Overall, the cost of supporting a 3rd Party System can be less than that of a
Closed System.
● Examples of 3rd Party CAs:
─ VeriSign, recently acquired by Symantec, has long been highly trusted by
consumers. VeriSign also owns GeoTrust and Thawte; combined they make up the
largest CA group*.
─ Go Daddy has grown rapidly over the last few years due to their aggressive pricing
model and holds the number two position per netcraft.com
─ Many other Trusted 3rd Party CAs are listed at the site below
* https://ssl.netcraft.com/ssl-sample-report//CMatch/certs

13
Self Signed or Closed System (CA)s
● You or your organization control all certificates including the Root Certificate.
● You control who you issue certificates to.
─ Think of Photos on ID badges.
● You manage the certificate structure, naming, validation and expiration.
● The major problem with a Closed CA, is it requires equipment and personnel to
manage the process and configure end user workstations.
─ Think of your “Security Department” that take photos and issue Corporate Security
badges.

14
Certificate Signing Request (CSR)
● A CSR is an application submitted to a CA for a computer or individual to obtain
a digital certificate.
● The request includes information identifying the applicant and the public key
that is generated from a public/private key pair.

15
X.509 Digital Certificate
● AKA – Digital ID or Public Key Certificate (PKC)
● X.509 is an International Telecommunications Union Transmission (ITU-T)
standard for public key infrastructure (PKI). It specifies standard formats for
public key certificates, certificate validation and certificate revocation lists.
● Digital Certificates are issued by a CA after the CA has verified that the public
key belongs to a specific subject.
● A Digital Certificate contains both CA and subject information including the
subject's public key. The CA signs the certificate by creating a digest of all the
fields in the certificate and then encrypts the digest with it's private key.
● The encrypted digest is called a “digital signature”, and when placed into the
X.509 certificate, the certificate is said to be signed.
● It's the digital equivalent of your ID card, driver's license or passport.

16
Agenda
 Definitions
• Single Host
•Multi Host with “Wildcard” SSL Certificate
• Q&A

Configuring your Domino server with a 3rd Party
SSL Certificate
1) Choosing your 3rd Party CA
2) Create a KeyRing file
3) Creating a Certificate Signing Request (CSR)
4) Retrieve SSL Certificate from Vendor
5) Trusted Root and Intermediate Certificates
6) Install Server SSL Certificate
7) Setup Domino Server for SSL

18
Choosing your 3rd Party CA & Certificate
● There are literally hundreds of 3rd Party CAs.
● Things to consider when selecting you 3rd Party CA are:
─ What type of transactions will this server be handling?
− Online commerce sites should have the strongest level of encryption and
assurance that you can afford.
− In-house, training and utility servers might be able to use a less costly
certificate.
─ Issuance Speed
─ SSL Certificate Warranty
─ Website Security Seals
─ Customer Support
● It's really up to you to determine the best vendor for your needs. The SSL
Certificate (assuming the same Key Strength) will technically work the same
whether it is created by a Self Signed CA or a premium certificate from a well
known CA. The difference is really perception and marketing.

19
SSL Certificate
 Choosing your 3rd Party CA
2) Create a KeyRing file


20
Creating a KeyRing.kyr file 1
● Create a New Folder off the root of your C:\ drive with a short folder name. My
suggestion is C:\SSL (You will be typing this path several times in the near
future)

21
● From your Notes
Client,
1) Select File
2) Open
3) Lotus Notes
Application
1) Look in Your Server

2) Select “Server Certificate
Admin” (certsrv.nsf)
3) Click “Open” Certificate
Admin – 3. Click Open

22
● When the application opens, select “1. Create Key Ring”

23
1) Type the full
path and file
name – it must
end with .kyr
2) Input and
confirm the
password.
3) Click on the
“Key Size” drop
down.

24
Key Size 5
● The larger the key size, the greater the encryption strength and therefore the
less likely a brute force attack will be able to decipher the key.
● Given the advances in computing power, some believe that it will be possible to
break a 1024-bit key in the near future.
● Some 3rd Party CAs will not accept a CSR with less than 2048 key size any
longer, and others are currently in the process of phasing out their lower sized
certificates.
● Keep in mind this could cause issues when you try to renew existing certificates
of lower key strength, in which case you will be required to create a new Key
Ring file and CSR for your servers.
● The National Institute of Standards and Technology (NIST) of the US
Government recommends certificates after 2010 should be of at least 2048 bit
key length.
● http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-
2007.pdf
● Beware - some older browsers can not support the new 2048 bit keys.
25
● Select 2048 as the Key Size

26
● Complete the required
and optional fields.
XYZ Company
1) “Common Name”
(DNS Server Name)
2) Organization and
Optional fields
3) NO ABBREVIATIONS in
“State or Province” field,
4) 2 character country
code -
5) Click “Create Key Ring”

27
● The KeyRing file name can be anything you want but it must end with .kyr
extension.
● Write down the password of the KeyRing.kyr file, put it in a “sealed envelope”
and store it in a safe place. You are going to need the password again when it
comes time to renew the certificate.
● If you are getting a single server certificate the Common Name is the URL
name to which the server responds. A simple 1 character mistake will cause an
invalid name prompt when the certificate is presented to the browser.
● The Organization (and optional Organization Unit) fields must be completed as
accurately as possible with the legal name of the company.
● Use the City and State of the Organization’s address and NO ABBREVIATIONS
in the State or Province name.
● Enter the standard 2 Character Country code for your country.
● This information will be verified by your CA, is included in the Digital Certificate
and will be presented to every browser that contacts your server, so it's
important to have it correct when you create your KeyRing.kyr file.
28
● The Key Ring Created prompt will display - Click OK
XYZ Company

29
Creating a KeyRing.kyr file - end
• You need to create an account at your 3rd Party vendor.
• You need to purchase an SSL Certificate and know your vendor's procedures
for submitting a CSR.

30
SSL Certificate
 Create a KeyRing file


31
Creating a Certificate Signing Request (CSR) 1
● Open the Server Certificate Admin notes database (The same one we used to
create the KeyRing.kyr file)

32
● Click “2. Create Certificate Request”

33
1) Type the path and
name of the .kyr file
2) Select “Paste into
form on CA's site”
3) Click “Create
Certificate Request”

34
● 1. You will be prompted for the KeyRing password - 2. click “OK”

35
● The Certificate Request will look as depicted below. Copy from the first dash (-)
XYZ Company

36
● To the end of the last dash (–)
● Ctrl +C to copy into your paste buffer.
XYZ Company

37
● Open Notepad and Paste the CSR into the notepad document, just in case you
accidentally copy something else before you complete the 3rd Party CSR.

38
● Click “OK” on the Certificate Request Created window.
XYZ Company

39
Creating a Certificate Signing Request (CSR)
end
● You are now ready to browse to your 3rd Party CA and complete your CSR.
● Follow the instructions for requesting a certificate for your 3rd Party CA

40
SSL Certificate
 Creating a Certificate Signing Request (CSR)


41
You will receive an email from your 3rd Party CA
when your SSL Certificate is complete
● In most instances you will need to download your SSL Certificate from their site.
Julio.Jalapeno@SpicySSL.co
m

42
Steps for configuring your Domino server with a
Third-Party SSL Certificate
 Retrieve SSL Certificate from Vendor


43
There must be a Trusted Root Certificate for your
3rd Party CA in the server's KeyRing.kyr file
● The CAs listed on the left are
automatically included and therefore
trusted in a newly created Domino
KeyRing.kyr file.
● If your CA is not included in the list,
their Trusted Root Certificate will
need to be imported.
● Note: There is a VeriSign
Intermediate CA included. It may or
may not be the correct one for your
certificate.
● Many CAs will now require an
Intermediate Certificate as well as
their Trusted Root.
● Check your 3rd Party CA
documentation for Intermediate
Certificate requirements.
44
Trusted Root & Intermediate Certificates 2
● Some CAs include their Trusted Root and Intermediate certificates in a bundle
or .zip file along with your signed Digital Certificate.
● If they are not, include follow the vendor's instructions and download them.
● Place them in your C:\SSL subdirectory.

45
● I normally double click to open the .crt files and leave them open on my desktop
so I can get the name correct when I install them into the KeyRing.kyr file.

46
● Open the “Server Certificate Admin” database

47
● Select – “3. Install Trusted Root Certificates into Key Ring”

48
1.Input the path and file name of your
KeyRing.kyr file.
2.Type the Certificate Label that will
appear when you choose “View &
Edit Key Ring” (why I keep it open on
the desktop).
3.Select File or Clipboard as Source.
a) If File, input the path and file name
to the retrieved signed certificate.
b) If Clipboard, paste into provided
field.
4.Base 64 encoding is the most

common format unless your vendor
specifies otherwise in their
documentation.
5.Click “Merge Trusted Root Certificate
into Key Ring”.
49
● You will be prompted for the Key Ring password then click “OK”

50
● Click “OK” on the Merge Trusted Root Certificate Confirmation.

51
● Click “OK” on the Certificate received into key ring and designated as trusted
root prompt.

52
Trusted Root & Intermediate Certificates end
● Intermediate Certificates
─ If your CA requires an
Intermediate Certificate, follow
the exact same steps as
installing a Trusted Root
Certificate.
─ Of course you would use a
different Certificate Label and
file name.
● If you get a prompt like the one
on the left while installing your
Signed “Server” Certificate, it
indicates that you are missing
an Intermediate Certificate.

53
SSL Certificate
 Trusted Root and Intermediate Certificates


54
Install Server Certificate into Key Ring 1
● Open the “Server Certificate Admin” database and Click “4. Install Certificate
into Key Ring”

55
1) Input the path and file name of
your KeyRing.kyr file.
2) Select File or Clipboard as
Certificate Source as appropriate.
3) Depending on you choice.
a) If File, input the path and file name
to the retrieved signed certificate.
b) If Clipboard, paste into provided
field.
4) Click “Merge Certificate into Key

Ring.

56
● Input the Key Ring password and click “OK”

57
● Click “OK” on the Merge Signed Certificate Confirmation prompt

58
Install Server Certificate into Key Ring end
● Click “OK” on the Certificate received into key ring prompt

59
SSL Certificate
 Trusted Root and Intermediate Certificates
 Install Server SSL Certificate
7)Setup Domino Server for SSL

60
Copy the KeyRing.kyr and KeyRing.sth file to
your server’s Domino\Data directory 1
● When you create a KeyRing.kyr file a .sth file of the same name which contains
the password for the associated .kyr file is also created.
● Browse to the C:\SSL subdirectory and copy BOTH the .kyr and .sth files.

61
Copy the KeyRing.kyr and KeyRing.sth file to
your server’s Domino\Data directory 1
● Paste the KeyRing.kyr and KeyRing.sth files into your server’s Domino\Data
directory.

62
Setup SSL on the Domino Server 1
● From Domino Administrator Client
1) Configuration tab
2) Server – Current Server Document
3) Edit Server
4) Note: Load Internet configuration
from Server\Internet Sites documents
= Disabled
● This example assumes you are NOT
using Internet Sites documents.
● Using Internet Sites documents will
be explained in the Wildcard SSL
section.

63
● Go to 1. Ports – 2. Internet Ports – 3. Input the name of your KeyRing.kyr file

64
● Scroll to the bottom of the page
• Port 80 (standard port)
1) TCP/IP port Status
• Redirect to SSL will automatically
switch a user to SSL when they
browse to the server without typing
HTTPS:// at the beginning of the
URL
2) Enforce server access settings
• Select Yes to have the server honor
Security Access settings on the
security tab of the server document
3) Enable SSL port status
4) Choose No for the Client certificate
option (we haven’t issued any client
certificates)
5) Save and Close

65
Restart the HTTP Server Task
• Domino Admin Client – Server
Console
• Issue the command
• restart task http

66
Test new SSL Setup 1
● Open your internet browser
● Enter the URL for your server
● Example:
http://hotchilies.spicyssl.com/names.nsf
● You will be prompted for your name
and password if you did not allow
anonymous access.

67
SSL Setup Complete
● Note: Because we
selected “Redirect to
SSL” you will be
automatically switched
to SSL (https://)
● The Browser does not
display any error
prompts.
● The Lock Icon displays.

68
Agenda
 Definitions
 Single Host
• Q&A

Wildcard SSL Certificate 1

Let’s suppose we have set up
DNS entries for
hotchilies.spicyssl.com and for
inotes.spicyssl.com both
pointing to the same server.

When we browse to
hotchilies.spicyssl.com
everything is fine.

But when we browse to
inotes.spicyssl.com

We get: “There is a problem
with this website’s security
certificate”.

This is because the certificate
was issued to hotchilies not
inotes.

70

What is a Wildcard SSL Certificate?

Secures multiple first-level sub-domains (Internet Sites or Servers) as long as
they end with the same domain name.
─ Example:
− www.spicyssl.com
− hotchilies.spicyssl.com
− inotes.spicyssl.com
− traveler.spicyssl.com
− quickr.spicyssl.com
● Most browsers won't work with a Wildcard SSL Certificates of more than one
level. In other words a Wildcard Certificate for *.spicyssl.com will not work for
inotes.mail.spicyssl.com or best.recipe.for.spicyssl.com.

71

Advantages:
─ Can result in big savings if you have more than 3 or 4 sites to secure.
─ Easier to manage especially when it comes time for renewals.
● Disadvantages:
─ If one server is compromised then all the others using that certificate are vulnerable.
─ Some mobile device operating systems may not recognize the wildcard character
(Windows Mobile 5 for example).
● 3rd Party CAs have offer different options:
─ Some allow you to create as many new or sub wildcard certificates (with the same
domain name) as needed, each with a unique private key, making them just as
secure as a single server certificate.
─ Some 3rd Party vendors limit the number of use instances of a Wildcard SSL
certificate.
● Read the License agreements of your CA to be sure you comply with their
requirements.

72

The process of setting up a Domino Server to use a Wildcard SSL Certificate is
the same as a single server certificate.
1) Choose your 3rd Party CA
2) Create a KeyRing file*

*The difference is when you create the KeyRing.kyr file.

Enter *.spicyssl.com or *.yourdomain.com as the “Common Name” in the
Distinguished Name section.

The Domain owner will likely receive an email requesting verification of
Wildcard CSR before issuing the certificate.

73
Creating a Wildcard KeyRing.kyr file 5
● Open the “Server Certificate Admin”
database
● Create a new KeyRing.kyr file
● Give the file a different name
● Example:
C:\SSL\WildSpicySSL.kyr
● Complete the Create Key Ring
document as we did before with
ONE exception, the Common Name
Field
● Use *.spicyssl.com
XYZ Company
(or *.yourdomain.com)

74
Creating a Wildcard KeyRing.kyr file 6
● As long as you are sure you have
entered a new Key Ring File Name,
● Click on “OK” if you receive a
WARNING prompt like the one to the
left.
● Click “OK” on the Key Ring Created

prompt
XYZ Company

75

Follow the remaining procedures as we did for setting up SSL on a Single
Server
7) Setup Domino Server for SSL – but this time we’ll use “Internet Sites”
documents

76

Note the SubjectOrg and SubjectCommonName on the Signed Wildcard
Certificate is *.spicyssl.com (Step 6 Install Server SSL Certificate above).

77
Configure Internet Sites with SSL 9
Enable Internet Sites Documents
● Edit the Server Document
● Basics tab
● Enable “Load Internet configurations
from Server\Internet Sites documents
● Save and Close the server Document

78
Add a Web Internet Site Document
● Domino Admin Client

● Configuration Tab
● Web
● Internet Sites
● Add Internet Site
● Web

79
● Complete the Basic Tab
● Descriptive name for this site
● Organization
● Is this the Default Internet Site?

80
● Define this site’ Home URL on the
Configuration Tab

81
● Security Tab
● Redirect TCP to SSL
● Require Name & Password for
SSL Authentication
● Enter the name of your
WildKeyRing.kyr in the SSL
Options section
● Save and Close the document

82
● Copy the WildKeyRing.kyr and WildKeyRing.sth files to the Domino server’s
data directory.
● Open the Admin Client Server Console and enter the command “Restart task
HTTP”.

83
● Now when we browse to
inotes.spicyssl.com/redirect.nsf:
● We no longer get a SSL Certificate
Error.
● We are prompted for a user name
and password.
● When we click on the lock icon:

● We see the site is identified as:
inotes.spicyssl.com
● The connection to the server is
encrypted.

84
● By clicking View Certificate we see
that the certificate was issued to:
*.spicyssl.com

85
Agenda
 Definitions
 Using 3rd Party Certificate Authorities
 Single Host
 Multi Host with “Wildcard” SSL Certificate

• Q&A

Domino’s Certificate Authority (CA) process

The Domino CA process can issue both Notes ID and Internet Certificates and
runs as an automated process on your Domino server.

It allows you to off-load the tasks of Notes ID creation and Certificate issuing to
others without giving them your certifier ids and passwords.

Internet certificate request are processed more easily.

Maintains Issued Certificate Lists (ICL) and revocation lists.

87
Setting up Domino Certificate Authority
1) Migrate a Notes Certifier to the CA Process
2) Managing the CA process
3) Add an Internet Certifier to the CA process
4) Create a Certificate Request database for the Internet Certifier
5) Create a KeyRing.kyr file
6) Set up SSL on the Domino server
7) Install the Domino Internet Certifier Trusted Root certificate into your browser

88
Migrate Notes Certifier to the CA Process 1
● Domino Admin client
1) Configuration Tab
2) Tools
3) Certification
4) Migrate Certifier

89
● Click Select

90
● Browse to the certifier being
migrated and click Select

91
● Click “OK”

92
● Input certifier password and click “OK”

93
● The next slides explain the options on this page.

94
Migrate Certifier Options

Select the server on which the certifier will run.

It is suggested that you leave the default path and name of the ICL database.

How this certifier is protected:

Encrypt Certifier ID with Server ID

This will encrypt the certifier with the server’s ID. No additional password or
action will be required to use this certifier. You can isolate your CA server and
add a password to the server ID for added security.

Require password to activate

More secure but requires that you issue the “tell ca activate <password>”
command after loading the CA task.

Locking ID

High security, if you use this option, I recommend creating a special id. Keep in
mind password expiration or Notes certificate expiration will cause issues. This
option requires that you issue the “tell ca unlock <path\filename> <password>”
command on the server console.

95
Migrate Certifier Options

Certificate Authority Administrator (CAA)

A CAA can create and modify certifiers deployed in the Domino CA.

Only a CAA can edit the “Password recovery” information in a certifier.

The CAA can also add and edit the roles assigned to others.

A CAA must have at least “Editor” access to the Domino Directory.

Best Practice is to assign at least 2 CAAs to each certifier.

Registration Authority (RA)

Approves or denies Notes or Internet certificate requests.

Can revoke certificates that can no longer be trusted.

Must have at least Author access with “Create Document” privilege and “User
Creator” role to the Domino Directory.

The main advantage of separating the roles is to off-load these tasks from the
Domino or CA administrator.

If you use the Web Administrator client, the Domino server must be listed as an
RA.

96
● Add your server as an RA
● Click OK

97
● After a few seconds the Success prompt will appear.
● Click “OK”

98
● To start the CA process, open the Domino Admin Client Server Console and
issue the “load ca” command.

99
 Migrate a Notes Certifier to the CA Process
2) Managing the CA process


100
Commands used to Manage the CA Process
● The most common CA commands are:
● load ca – loads the CA task on the Domino Server
● tell ca refresh – causes the CA task to reload the certifiers list (certifiers will need to
be unlocked or activated again
● tell ca quit – stops the CA task
● tell ca stat – displays summary information about the certifiers including it’s number
● tell ca activate certifier number <password> - activates a specific certifier
● tell ca unlock <path\file.id> <password> - unlocks all certifiers the id protects
● tell ca help – gives a list all of the CA options
● You can also deactivate or lock individual certifiers
● Add the CA task to the ServerTasks= line of your server’s notes.ini so that the
CA task will load at server startup.

101
Agenda
 Definitions
 Single Host

 Migrating a Notes Certifier to the Domino CA
• Q&A

 Managing the CA process


103
Add an Internet certifier to the CA Process 1
● Domino Admin client
1) Configuration
2) Tools
3) Registration
4) Internet Certifier

104
● Select “I want to register a new
internet certifier that uses the CA
process”
● “I have a keyring file I want to
register” would be used if you had an
existing Internet Certifier (R5
Certifier Key Ring) you wanted to
migrate into the CA process
● Click “Ok”

105
● On the Basics tab of the “Register New Internet Certifier” window. Again lets
use Encrypt certifier ID with the Server ID and click “Create Certifier Name”.

106
● The Common Name field is
required.
● Again, no abbreviations in the State
or Province field.
● You can see the Certifier Name
being built as you fill in the various
fields.
● Click “Ok”

107
Certificates Tab
● The “Include CRL distribution point
extension” option, enabled by
default, sets an attribute that
identifies the location of the
Certificate Revocation List (CRL)
● By clicking “Detail” You will see the
location for the CRL will be LDAP on
the Domino server
● “Backdate certificate validity” is also
enabled by default. The time a CA
warrants that it will keep information,
regarding a certificate, is defined as
the certificate validity period.

108
Certificates Tab continued
● By default a certifier is permitted to
issue certificates for all Key Usage
options.
● The two most common keys are
checked as default:
● Digital Signature
● Used when authenticating data
origin integrity.
● Data Encipherment
● Used when public key is used for
encrypting user data.

109
● Key Usage defines the purpose of the certificate. You select all or restrict to only
as few usages as necessary.
● Other Standard Key Usages are:
●
Non-repudiation – used to insure that the sender of a message can not deny having sent
it or the receiver not deny having received it.
●
Key encipherment – used for data encryption protocol in SSL and S/MIME
●
Key agreement – used when sender and receiver need to derive or agree on a key
without using encryption, once agreed, this key is then used to encrypt data
●
Certificate signing – used for verifying a signature on public key certificates
●
CRL signing – used for verifying a signature on Certificate Revocation List
●
Encipher only – must be used in conjunction with Key Agreement – the subject public
key may only be used for encrypting data
●
Decipher only – must be used in conjunction with Key Agreement – the subject public
key may only be used for decrypting data
● Extend keys further refine or restrict the standard key usages.

110
● Key Usage defines the purpose of the certificate. You select all or restrict to only
a few usages for as necessary.
● Examples of Applications and Required Key Usage:
● SSL Client, S/MIME Signing or Object Signing require “Digital Signature”.
● SSL Server and S/MIME Encryption require “Key Encipherment”.
● Certificate Signing requires “Certificate Signing”.
● Choose the options that match your certificate’s purpose.

111
● Since we are going to be using
S/MIME add “Key Encipherment” to
the “Default” selection.

112
On the Misc. tab
1)Click “Create a local copy of the
certifier ID”.
2)Set ID File path and name.
3)Enter the password.
4)Click “OK” the ID file prompt and
again on the “Creating certifier”
dialog box.
In order to have the CA process pick

up the new certifier enter “tell ca
refresh” on the Domino Admin
Server Console.

113
 Add an Internet Certifier to the CA process
4) Create a Certificate Request database for the Internet

Certifier

114
Create Certificate Requests database 1
● From the Notes Client choose File – Application - New

115
1) Select Server
2) File Name
3) Database Title
4) Choose Template server
5) Show advanced templates
6) Select “Certificate Requests
(8)” certreq.ntf
7) Click “OK”

116
● When the database has been created the “About..” document will appear.
● Review the instructions for using the Certificate Request Database.

117
● Select the Server and
Certifier from the drop
down list.
● We are going to use
this Certificate
Request database for
both Client and Server
Certificates.
● Set the Validity Period
as deisred for Client
Requests.
● The default Key and
Extended Key Usages
are adequate for our
purposes .

118
● Select any other “Key Usage”
keywords to suit your installation.
● These are the “Extended Key

Usage” options.

119
Server Request Customization
● Set the Validity Period as
appropriate.
● Again the default Key and Extended
Key Usages can be set as desired.
● If you choose Automatic as the
processing method, another field
“Automatic Transfer Server” will
appear for you to specify the server
running AdminP and to which
requests are to be transferred.
● Mail completed confirmation request
to the requestor “Yes or No”.
● Click “Save & Close”.

120
 Create a Certificate Request database for the Internet Certifier


121
Create KeyRing.kyr for server-based CA 1
● Open the “Certificate Requests”
database we just created.
● In the “Domino Key Ring
Management folder”.
● Select “Create Key Ring”.

122
● Complete the Create Key Ring form
as we have in the previous
examples
● Click “OK” on the Key Ring Created

prompt when it appears

123

The “Trusted Root” certificate for
the Domino Internet CA will
automatically be installed into the
new KeyRing.kyr file.

Note the CA Certificate information
we entered when we created the
Internet Certifier appears as the
Certificate Issuer in the “Merge
Trusted Root Certificate
Confirmation” dialog box.

Verify the information and Click
“OK”.

Click “OK” on the Certificate
received into key ring and
designated as trusted root prompt.

124

When the “Certificate Request Successfully Created for Key Ring” prompt
appears, click “OK”.

125

A CSR will automatically be created.

Since we selected “Manual” as the
processing method in our Certificate
Request database we must submit
the request to AdminP for
processing.
1) Open the Pending/Submitted
Request view in the Certificate
Request database.
2) Select the request.
3) Click “Submit Selected Requests”.
• Click “OK” on the Successfully

submitted prompt

126
● An authorized
Registration
Authority (RA)
must open the
Administration
Request database
and approve the
request.
1) Certificate
Request view.
2) Open the new
request.

127
● Verify the information.
● Edit the request.
● Click “Approve Request”.

128
● Open the Certificate Requests
database
1) Pending/Submitted Request view.
2) Select the document.
3) Click “Pull Selected Requests”.
● Click “OK” on the Successfully pulled

prompt.

129
● Open your mail file and locate
the “Your certificate request
has been approved” message.
● Copy the pickup ID to your
clipboard.

130
● Alternatively, you can open the
Certificate Request Database.
● Go to the Issued/Rejected
Certificates view.
● Open the Certificate Issued
document.
● Copy the Pickup ID from the
Request ID field.
*Not necessary if you copied it

from the email message.

131
● Open the Certificate Request
database.
● Click “Pickup Key Ring
Certificate”.

132
1) Input the path and name of
your KeyRing.kyr file.
2) Input the password for the
KeyRing.kyr file.
3) Paste the Pickup ID into the
last field.
4) Click “Pickup Certificate”.
● Verify the information on the

“Merge Signed Certificate
Confirmation” prompt.
● Click “OK”.

133
● Click “OK” on the Certificate
received into key ring prompt.
● Copy or FTP the KeyRing.kyr

and KeyRing.sth file to the
Domino\Data directory on your
server.

๑๓๔
 Create a KeyRing.kyr file


135
Setup SSL on the Domino Server
● The procedures are the same as
listed for the single server or the
Internet Sites document from
previous examples.
● We are going to Edit the Internet Site
document we used last and replace
the WildKeyRing.kyr with the
DomCAKR.kyr we just created for
Domino Certificate Authority.
● Then issue the “restart task http”
from the Domino Admin Client Server
Console.

136
 Set up SSL on the Domino server
7) Install the Domino Internet Certifier Trusted Root

certificate into your browser

137
Install the Domino Internet Certifier Trusted
Root Certificate into your browser 1
● Oops – When we browse back to our
server, we get the dreaded “There is
a problem with this website’s security
certificate” error
● This is because ?????

138
● The Certificate Authority that we created is not a Trusted Authority in the
browser.
● You can open standard HTTP:// access and send end users a URL link to the
Domino CA Certificate Request database. This database has a built in function
to accept the Domino Certificate Authority as a Trusted Root in their browser as
we are about to see.

139
● Browse to the Domino CA
Certificate Request database,
http://hotchilies.spicyssl.com/c
ertreq.nsf
● Select “Accept This Authority
In Your Browser”

140
● If the browser displays a warning bar at the top of the window, click on it and
then click “Run Add-on”.
● Click “Run” on the Security Warning.
● You will be returned to the Domino CA Certificate Requests database.

● Click “Accept This Authority In Your Browser” again.

141
● Click “Install
Certificate”

142
● Click “Yes” on the Potential
Security Violation prompt.
● Click “Yes” on the Security Warning.

143
● Verify that the Domino CA
Certificate was installed as a
Trusted Root in your browser.
1) Open browser
2) Click “Tools”
3) “Internet Options”

144
● On the “Content” tab
● Select “Certificates”

145
● Go to the “Trusted Root
Certification Authorities” tab.
● Scroll through the list and you
should find your Domino CA
Certificate.
* An alternate method of
installing the Domino CA
Trusted Root certificate is
provides as Appendix 1 at the
end of the presentation

146
 Set up SSL on the Domino server
 Install the Domino Internet Certifier Trusted Root certificate into your browser

147
Agenda

 Definitions
 Single Host
 Domino's Certificate Authority (CA) process

 Migrating a Notes Certifier into Domino CA
 Adding a Internet Certifier to the Domino CA

• Q&A

S/MIME and X.509 Certificates for secure
email 1
● Now that we have Domino Certificate Authority setup with an Internet
Certificate, we can create Internet Certificates for our Notes Clients.
● The CA’s Trusted Root Certificate must be in either the Domino Directory or
the client’s contact database (personal address book), however it’s much
simpler for your Notes clients if it’s in the Domino Directory.
● As the Administrator for your domain, you must decide:
● Issue Internet Certificates via the Domino Admin Client? If your primary goal is
S/MIME encrypted email, you can issue Internet Certificates Request for your
Notes clients from the Domino Admin client. The CA will process the request,
add them to the Person Document and automatically import them in Notes ID
files.
● Or do you want to require Client Certificates in the end user’s browser for
additional access control to your Domino servers? This option requires an end
user to submit a request and pickup the signed certificate from the Domino
Certificate Request database and then install the certificate into their browser?
● Or a combination of the two?

149
email 2
● Administrator adds internet certificates to the Domino Directory:
● The easiest method to accomplish issuing X.509 certificates for email encryption
is for the Domino Administrator to request certificates via the Domino
Administrator client.
● The CA adds the Internet Certificate to the user’s Person Doc in the Domino
Directory.
● When the user authenticates with their home mail server, the Internet
Certificate is automatically merged into the Notes ID file.
● Client Requests Cross Certificate:
● If you want to use browser internet certificates for authentication and SSL
encryption:
● Browse to and request a certificate from the Certificate Request Database.
● An RA approves the request and Domino, the CA processes the request,
submits AdminP request to add the Internet Certificate to the person
document in the Domino Directory. The CA emails the end user a pickup ID
and then the end user installs the certificate into their browser.
● The client merges the Certificate into their Notes ID file.

150
email 3
Administrator Issues Internet
Certificate to the Person
Document
● Be sure the Domino CA
process is setup and running
● Open the Domino Admin
Client
1) People & Groups Tab
2) People
3) Select names to receive
Internet Certificates

151
email 4
● From the Menu Bar
1. Click “Actions”
2. Choose “Add Internet Cert to
Selected People”.

152
email 5
● Choose a Certifier prompt box
1) Select your registration
server.
2) Select “Use the CA
Process”.
3) Select your Internet
Certificate as the “CA
configured certifier”.
4) Click “OK”.

153
email 6
• Review the Information in the
Add Internet Certificate to
Selected Entries box and
click “Certify”.
• Click “OK” on the Processing

Statistics prompt.

154
email 7
● A Certificate Request is added to the AdminP database for each person
selected.

155
email 8
● When the CA processes the Certificate Request, it then creates a “Store
Certificate in Domino or LDAP Directory” request in the AdminP database.

156
email 9
● After a replication cycle completes to the user’s mail server, and the user
accesses their mail file, Lotus Notes sees that there is an Internet Certificate
available in their Person Document and automatically downloads it to their
Notes ID file.

157
email 10
● To View the Internet Certificate
Information in your Notes ID.
1) File
2) Security
3) User Security
● Enter Your Password and click

“Log In”.

158
email 11
● Expand “Your Identity” – Select “Your Certificates” – Choose “Your Internet
Certificates” to view your Internet Certificate information.

159
email 12
● Now the you have an Internet Certificate, how do you go about exchanging
Secure Email with someone else?
● You have to Cross Certify and swap public keys with the other person.
● You do this by sending each other a “Signed” email. The signature contains
your public key information.
● Each must store the other’s public key in their Contact database (Personal
Address Book) by “Adding Sender to Address Book”.
● Then you can send and receive S/MIME encrypted emails.

160
email 13
John.doe@xyzcom
● Create and Sign an email to
your associate.
● After creating the message
select:
1) Delivery Options
2) Sign
3) OK
4) Send

161
email 14
● When your associate opens
the email, they will be
prompted to “Cross Certify”
with the certificate contained
John Doe/XYZ
in your signature.
● Notice that it is your ID that is
doing the cross certification.
● And the server to contain the
certificate will be the “Local”
names.nsf.
● Click “Cross certify”.

162
email 15
● Your associate will need to
add or update the information
in their Contact database by:
● Clicking on “More”
● Add Sender to Contacts
● If they are already in your
Contacts, you will be
prompted to replace the
contact record that is there.
● Be sure “Include X.509

certificates when
encountered” is checked.
● Click “OK”

163
email 16
● You will receive a “Contacts
successfully updated” prompt.
Click “OK”
Your associate must send you a

signed message so that you
can cross certify with their
Internet Certificate.
Once you have both Cross
Certified and have stored
each other’s public key in your
Contacts databases, you can
send and receive S/MIME
encrypted email to each other.

164
email 17
● When you receive an encrypted email, your Notes client will automatically
decrypt the message when opened.
● The status bar at the bottom of your Notes client will display “Decrypting
document…”.
John Doe/XYZ
John Doe/XYZ

165
email 18
● Little Bug….
1) Server Configuration
Document
2) MIME
3) Advanced
4) Advanced Outbound
Message
5) RFC822 Phrase Handling
● If this is set to “Use CN as
phrase” for friendly email reply
addresses, and you are
sending your public key to a
Notes client at another
company, they will have
issues adding your public key
to their Contact database.

166
Agenda

 Definitions
 Single Host

 Secure Email with S/MIME and X.509 Certificates
• Q&A

Agenda

 Definitions
 Single Host

 Secure Email with S/MIME and X.509 Certificates
 Q&A

Links for more information
● http://en.wikipedia.org/wiki/Transport_Layer_Security
● http://www.redbooks.ibm.com/abstracts/redp0046.html?Open
● http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-
revised2_Mar08-2007.pdf (page 66)
● Frequently Asked Questions: Using SSL with Notes and Domino
● http://www-01.ibm.com/support/docview.wss?uid=swg21218820

169
Legal Disclaimer
© IBM Corporation 2011. All Rights Reserved.
The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without
warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of
the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors,
or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change
at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor
shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
All references to Spicy SSL refer to a fictitious company and are used for illustration purposes only.

Appendices
• Appendix 1
• Install the Domino CA Certifier Trusted Root Certificate Alternate
Method
• Appendix 2
• Requesting, Processing & Installing a Client Certificate from a Domino CA Single
Host
• Appendix 3
• Export a X.509 Certificate from your browser and Import into your Notes ID

Appendix 1
Install the Domino CA Certifier Trusted Root
Certificate alternate method 1
● Click “Continue to the website
(not recommended)”.
● Then click on the “Certificate

Error” in the browser bar

172
Appendix 1
● The Untrusted Certificate
explanation will appear.
● Click “View certificates”.

173
Appendix 1
● Go to the “Certification Path”
tab
● Notice at the bottom of the
prompt box:
“This CA Root certificate is not
trusted because it is not in the
Trusted Root Certification
Authorities store.”
• Double click on the Certificate
Authority name – NOT the
server name

174
Appendix 1
● Click “Install Certificate”.
● The Certificate Import Wizard
will launch.
● Click “Next”.

175
Appendix 1
1) Select “Place all certificates
in the following store”.
2) Click “Browse”.
3) Select “Trusted Root
Certification Authorities”.
4) Click “OK”.

176
Appendix 1
● Click “Next”.
● Then click “Finish”.

177
Appendix 1
● Click “Yes” on the Security
Warning prompt.
● Click “OK” on The import was

successful prompt.

178
Appendix 1
● Close and re-launch your browser. When you browse to your server this
time you should no longer receive a security warning. You should see the
Lock Icon and be prompted for your user name and password.

179
Appendix 2
Requesting, Processing & Installing a Client
Certificate from a Domino CA 1
● Whether you are requesting a Client Certificate from a 3rd Party CA or a Domino
CA, the procedures are basically the same.
1)Browse to the CA’s website.
2)Request a Client Certificate.
3)The CA will process the Certificate Request.
4)The CA will notify you via email that the certificate is ready for pickup.
5)Browse to the CA’s Pickup site.
6)Paste in the Pickup ID.
7)Install the trusted root and signed certificate into your browser.

180
Appendix 2
● Browse to your Domino CA’s
Certificate Request database
● Select “Request Client
Certificate”

181
Appendix 2
● Complete the “Client
Request Form”.
● Remember – No
abbreviations in
State/Province field.
● Domino defaults to a “High
Grade” Key for client
certificates.
● Submit Certificate Request.
● “Certificate Request Has

Been Submitted” will
display on success.

182
Appendix 2
● The next 3 Procedures are
performed by the Registration
Authority (RA)
1) Open Certificate Request
database
2) Pending/Submitted Request view
3) Select appropriate document(s)
4) Click “Submit Selected Requests”

183
Appendix 2
1) Admin Request
database
2) Certificate Request view
3) Open New Request
document

184
Appendix 2
● Click “Edit Request”
● Click “Approve Request"

185
Appendix 2
1) Return to Certificate
Request database
2) Pending/Submitted
view
3) Click “Pull Selected
Requests”
● Click “OK”

186
Appendix 2
● The client receives an email with the pickup ID.
● Copy the pickup ID to your clipboard.

187
Appendix 2
● Browse back to the Certifciate
Request application
● Click “Pick Up Client
Certificate”

188
Appendix 2
● Paste the Pickup ID into the
Pickup ID field
● Click “Pick Up Client
Certificate”
● Click “Install Certificate”

189
Appendix 2
● Click “OK’

190
Appendix 3
Export a X.509 Certificate from your browser
and Import into your Notes ID 1
● Once a certificate has been
installed into your browser, you can
Export the certificate and then
Import it into your Notes ID file to be
used for S/MIME Secure Email.
● I will be exporting and importing a
VeriSign Personal Certificate in this
example.
● Open your browser and select
1) Tools
2) Internet Options

191
Appendix 3
● On the “Content” tab
● Click “Certificates”

192
Appendix 3
● On the “Personal” tab
● Select the certificate
● Click “Export”
John Doe

193
Appendix 3
● The “Certificate Export Wizard” will
launch.
● Select “Yes” to export the private

key
● Click “Next”

194
Appendix 3
● Select “Personal Information
Exchange – PKCS #12(.PFX) as
the format.
● Be sure to select “Include all
certificates in the certification path if
possible”
NOTE: If you fail to select “Include all

certificates in the certification path if
possible”, you will get the error to
the right when you try to import your
certificate into your Notes ID.

195
Appendix 3
● Input and confirm a password to
protect your private key.
● Select the folder

● Input a file name Johncert
● Click “Save”
196
Appendix 3
\JohnCert.pfx
\JohnCert.pfx
● Review the information

● Click “Finish”

197
Appendix 3
● Click “OK” on the Exporting your
private exchange key prompt.
● Click “OK” on the Export successful

prompt.

198
Appendix 3
● Open you Notes Client
● File
● Security
● User Security
● Input your password
John Doe

199
Appendix 3
1) Expand Your
Identity
2) Your
Certificates
3) Your Internet
John.Doe@SpicySSL.com Internet Cert
Certificates
4) Get
Certificates
John.Doe@SpicySSL.com John.Doe@SpicySSL.com
Internet Cert

200
Appendix 3
● Select “Import Internet Certificates”
\JohnCert.pfx
● Browse to the .pfx file you just

exported.
● Click “Open” \JohnCert.pfx

201
Appendix 3
● Select “PKCS 12 encoded”
● Click “Continue”
● Input the password used when you

exported the key.
● Click “OK”

202
Appendix 3
● Review the certificates contained in the file and select “Accept All”.
John.Doe@SpicySSL.com
John.Doe@SpicySSL.com John.Doe@SpicySSL.com

203
Appendix 3
● Input your Notes password
John Doe/SpicySSL
● Click “Log In”
● Click “OK”

204

Show 104

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Show 104

Hochgeladen von

Copyright:

Verfügbare Formate

SHOW104

Crispy Certificates with

Tom Truitt | Sr IT Specialist | WorkFlow Studios

© 2011 IBM Corporation

● Symantec Corporation®, VeriSign, Inc.®, Thawte, Inc.®, GeoTrust®,

© 2011 IBM Corporation 2

© 2011 IBM Corporation 3

© 2011 IBM Corporation 4

• Domino's Certificate Authority (CA) 5process

© 2011 IBM Corporation 5

© 2011 IBM Corporation 6

• Domino's Certificate Authority (CA) process

© 2011 IBM Corporation 7

● Public Key Infrastructure (PKI)

● Certificate Authority (CA)

● Certificate Signing Request (CSR)

● X.509 Digital Certificate or Public Key Certificate (PKC)

© 2011 IBM Corporation 8

© 2011 IBM Corporation 9

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation 17

© 2011 IBM Corporation

© 2011 IBM Corporation

2) Create a KeyRing file

© 2011 IBM Corporation

© 2011 IBM Corporation

1) Look in Your Server

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

3) Creating a Certificate Signing Request (CSR)

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

4) Retrieve SSL Certificate from Vendor

© 2011 IBM Corporation

© 2011 IBM Corporation

5) Trusted Root and Intermediate Certificates

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation

4.Base 64 encoding is the most

© 2011 IBM Corporation

© 2011 IBM Corporation

© 2011 IBM Corporation